Enabling HTTPS on a WordPress website

More and more websites are installing an SSL certificate and converting to HTTPS (secure http). Traditionally e-commerce websites enforce HTTPS on their logged in and checkout pages, however there is a movement supported by big firms like Google, Microsoft, Mozilla to encourage webmasters to convert their websites to HTTPS only. With this in mind, Spiral Hosting are making it easier than ever to secure your website with HTTPS. We have introduced a new AutoSSL feature on all our shared hosting, enterprise hosting and reseller hosting plans. The AutoSSL feature is enabled by default so our hosting clients can enforce HTTPS on their websites.

Whether you use the 90-day AutoSSL provided with your web hosting or you use one of the big brand certificates we sell from Comodo, GeoTrust or GlobalSign, you can easily update your WordPress website to run using HTTPS.

Step 1 - Check that an SSL certificate is installed on your website

Please type your website address into https://sslanalyzer.comodoca.com/

In most cases you'll see a 1 year certificate from one of our SSL partners, the issuer will say "Comodo", "GeoTrust" or "GlobalSign", or the 90-day AutoSSL certificate issued by "cPanel Inc".

If the SSL certificate has been issued by "Cloudflare Inc" you'll need to activate SSL via your Cloudflare dashboard. Login via your cPanel control panel or cloudflare.com, then find the SSL option, and change it from Off/Flexible to "Full SSL".

Step 2 - Update the Site URL values under General > Settings in your WordPress admin dashboard.

WordPress Site URL

Make sure these two URL values begin with https and not http!

Step 3 - Use an .htaccess file to force redirect all HTTP requests to HTTPS.

Simply add the following 3 lines to your .htaccess file:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.exampledomain.com/$1 [R,L]

If you do not have an .htaccess file, simply create one in the main directory of your website (public_html).

Don't forget to replace exampledomain.com with your actual domain name!

Step 4 - Force WordPress admin pages to use SSL.

Open the wp-config.php file and add the following 1 line of code:

define('FORCE_SSL_ADMIN', true);

The wp-config.php file is found in your main website directory (normally public_html).

Step 5 - Check your website for any non HTTPS content

Your website should now be running on 100% HTTPS, but if any part of your website theme or plugins use non-HTTPS images, stylesheets or other content, it will cause a warning on most web browsers. We recommend typing your website address into the site scanner at https://www.whynopadlock.com/

If the site scanner finds any "mixed content" on your website, you have two options. You can manually go through the images/content and update the relevant code to use HTTPS instead of HTTP, or you can use a WordPress plugin to force the content to be delivered over HTTPS. For example, a plugin called Really Simple SSL.

If the site scanner continues to give warnings, we recommend discussing the issue with your website developer.